gmer stopped in middle of running


30 replies to this topic

#1 peewee30

peewee30

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:33 AM

Posted 16 August 2011 - 11:09 AM

Referred from here: http://www.bleepingcomputer.com/forums/topic414400.html ~ OB

Gmer was running per instruction but stopped and the gmer window is not on the screen anymore.

As per boopme's instruction this is the dds file created:



.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 8:40:46 on 2011-08-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.349 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\3203397148:3809022017.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearch Page = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearchAssistant = hxxp://search.bearshare.com/sidebar.html?src=ssb
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: TTB000000 Class: {62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} - c:\windows\COUPON~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [RecordNow!]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [WinPatrol] c:\progra~1\billps~1\winpat~1\winpatrol.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o"&"inst=NzctNjYyMDQ5OTc3LUJBKzEtS1YzKzctWEwrMS1UNC1YTzM2KzEtVEI5KzItRkwrOS1GOU03Qys1LUY5TTEwQisxLUY5TTEwQSsxLUY5TTIrMS1ERFQrMC1GTDEwKzE"&"prod=90"&"ver=10.0.1325
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\npjpi150_09.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {09883431-7429-11D5-8B69-0050049F5256} - hxxps://www.metrobankdirect.com/download/Authentic/VBAuthentic.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{A5AFDD7E-01EC-42EC-AB9F-DF8DCAA91743} : DhcpNameServer = 10.0.0.1
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 212.227.64.159 www.winmx.com
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-16 441176]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-7-16 309848]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-7-16 19544]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-7-16 42184]
S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2011-5-22 99896]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-5-4 10384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-3 366640]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-22 25824]
S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-4-30 14088]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-3 22712]
.
=============== Created Last 30 ================
.
2011-08-15 16:10:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-15 16:10:22 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-15 16:09:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-14 22:17:48 -------- d-----w- c:\program files\Malwar
2011-08-14 19:53:33 -------- d-----w- c:\program files\Malware
2011-08-04 05:15:09 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-04 05:15:04 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
==================== Find3M ====================
.
2011-08-16 15:26:14 90112 ----a-w- c:\windows\DUMPa037.tmp
2011-08-15 22:10:16 90112 ----a-w- c:\windows\DUMP9d88.tmp
2011-08-15 22:09:09 90112 ----a-w- c:\windows\DUMPabff.tmp
2011-08-15 16:25:09 90112 ----a-w- c:\windows\DUMP9da7.tmp
2011-08-15 16:24:04 90112 ----a-w- c:\windows\DUMPa901.tmp
2011-08-15 16:22:35 90112 ----a-w- c:\windows\DUMPa97e.tmp
2011-08-15 16:21:26 90112 ----a-w- c:\windows\DUMP9c30.tmp
2011-08-15 16:20:16 90112 ----a-w- c:\windows\DUMPa46d.tmp
2011-08-15 16:19:01 90112 ----a-w- c:\windows\DUMP98e4.tmp
2011-08-15 16:13:26 90112 ----a-w- c:\windows\DUMPa6fe.tmp
2011-08-15 15:50:38 90112 ----a-w- c:\windows\DUMPa6cf.tmp
2011-08-14 17:01:52 90112 ----a-w- c:\windows\DUMPa5d5.tmp
2011-08-14 09:32:26 90112 ----a-w- c:\windows\DUMP92ba.tmp
2011-08-14 09:31:04 90112 ----a-w- c:\windows\DUMP8f6e.tmp
2011-08-14 09:30:08 90112 ----a-w- c:\windows\DUMP9c9d.tmp
2011-08-14 09:28:53 90112 ----a-w- c:\windows\DUMP9df5.tmp
2011-08-14 09:27:38 90112 ----a-w- c:\windows\DUMP9d0b.tmp
2011-08-14 09:26:31 90112 ----a-w- c:\windows\DUMP9191.tmp
2011-08-14 09:25:36 90112 ----a-w- c:\windows\DUMPa71d.tmp
2011-07-04 11:43:53 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:36:43 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2005-03-03 10:41:41 823296 ----a-w- c:\program files\winmx353.exe
.
============= FINISH: 8:42:11.12 ===============


Edited by Orange Blossom, 16 August 2011 - 11:41 AM.




#2 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:33 AM

Posted 21 August 2011 - 07:57 AM

hi peewee30,

If you still need help, simply reply back. Did an updated Malwarebytes come up clean after a scan?

How Can I Reduce My Risk to Malware?


#3 peewee30

peewee30
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:33 AM

Posted 22 August 2011 - 10:45 AM

hi shelf life!

I haven't done anything, as the instructions told me to wait for a team member to contact me on what to do next... Before I was given instructions last week I tried scanning with avast; it found a rootkit and the filename is 3203397148:3809022017.exe... avast can't take it out no matter if I try to delete it or move it to the chest... I hope you'll be able to help me out, as I've been down without a computer for a week now...

thanks so much for the help!

#4 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:33 AM

Posted 22 August 2011 - 05:16 PM

OK, since you mentioned a rootkit we will start with TDSSKiller:

Please download TDSS Killer.exe and save it to your desktop

Double click to launch the utility. On Vista and Windows 7, right click and choose "run as admin...". After it initializes, click the start scan button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.


A report can also be found on your root drive, Local Disk (C:), as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt).

Please post the log report.

How Can I Reduce My Risk to Malware?


#5 peewee30

peewee30
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:33 AM

Posted 22 August 2011 - 05:44 PM

Tried using TDSSKiller.exe, but it stopped after scanning for a minute... I tried again, but a Windows pop-up message said "windows cannot access the specified device, path, or file. you may not have the appropriate permissions to access the item."... Anything else I can do to make it work?... Thanks for the help...

#6 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:33 AM

Posted 23 August 2011 - 03:45 PM

Try booting into safe mode to run TDSSKiller: to reach safe mode, tap the F8 key during a computer restart and choose the first option from the list, Safe Mode. Log into your usual account. Once at the safe mode desktop, try running it.

How Can I Reduce My Risk to Malware?


#7 peewee30

peewee30
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:33 AM

Posted 23 August 2011 - 04:06 PM

I'm already running under safe mode with networking when I run TDSSKiller.exe, because my computer just gives a blue screen with numbers for a minute, then starts with the Windows screen followed by the blue screen again, and it just goes on as a cycle.

#8 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:33 AM

Posted 23 August 2011 - 07:06 PM

OK, forget TDSSKiller for now. We will move on to ComboFix. There is a guide to read first. Read through the guide, then apply the directions on your own machine. ComboFix may not run with certain AV installed; Avast may be one of them. If ComboFix gives you a warning about Avast, then you will have to uninstall Avast via the Add/Remove Programs panel, reboot and then run ComboFix. If ComboFix gives problems in 'normal' mode, then try running it in safe mode.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#9 peewee30

peewee30
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:33 AM

Posted 23 August 2011 - 09:07 PM

Is it OK to run ComboFix in safe mode with networking? That's the only way I can boot up my computer since I got the virus.

#10 peewee30

peewee30
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:33 AM

Posted 24 August 2011 - 12:08 PM

Hi shelf life!

This is the combofix log file after it scanned my computer. Please let me know what the next step will be. Thank you!



ComboFix 11-08-24.02 - arcee 08/24/2011 9:32.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.296 [GMT -7:00]
Running from: c:\documents and settings\arcee\Desktop\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\arcee\WINDOWS
c:\windows\$NtUninstallKB3255$
c:\windows\$NtUninstallKB3255$\1598268309
c:\windows\$NtUninstallKB3255$\485945278\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB3255$\485945278\L\yaywbcos
c:\windows\$NtUninstallKB3255$\485945278\loader(2)(2).tlb
c:\windows\$NtUninstallKB3255$\485945278\loader(3)(2).tlb
c:\windows\$NtUninstallKB3255$\485945278\loader(4)(2).tlb
c:\windows\$NtUninstallKB3255$\485945278\loader(5)(2).tlb
c:\windows\$NtUninstallKB3255$\485945278\loader(6)(2).tlb
c:\windows\$NtUninstallKB3255$\485945278\loader(7)(2).tlb
c:\windows\$NtUninstallKB3255$\485945278\loader(8)(2).tlb
c:\windows\$NtUninstallKB3255$\485945278\loader.tlb
c:\windows\$NtUninstallKB3255$\485945278\U\@00000001
c:\windows\$NtUninstallKB3255$\485945278\U\@000000c0
c:\windows\$NtUninstallKB3255$\485945278\U\@000000cb
c:\windows\$NtUninstallKB3255$\485945278\U\@000000cf
c:\windows\$NtUninstallKB3255$\485945278\U\@80000000
c:\windows\$NtUninstallKB3255$\485945278\U\@800000c0
c:\windows\$NtUninstallKB3255$\485945278\U\@800000cb
c:\windows\$NtUninstallKB3255$\485945278\U\@800000cf
c:\windows\system32\c_47915.nls
.
Infected copy of c:\windows\system32\Drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1cf6efbe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
.
.
2011-08-24 16:27 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-24 16:27 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2011-08-22 22:48 . 2011-08-22 22:48 -------- d--h--w- c:\windows\PIF
2011-08-15 16:10 . 2011-08-15 16:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-14 22:17 . 2011-08-15 16:09 -------- d-----w- c:\program files\Malwar
2011-08-04 05:15 . 2011-07-07 02:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-04 05:15 . 2011-07-07 02:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-16 15:26 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa037.tmp
2011-08-15 22:10 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9d88.tmp
2011-08-15 22:09 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPabff.tmp
2011-08-15 16:25 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9da7.tmp
2011-08-15 16:24 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa901.tmp
2011-08-15 16:22 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa97e.tmp
2011-08-15 16:21 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9c30.tmp
2011-08-15 16:20 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa46d.tmp
2011-08-15 16:19 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP98e4.tmp
2011-08-15 16:13 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa6fe.tmp
2011-08-15 15:50 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa6cf.tmp
2011-08-14 17:01 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa5d5.tmp
2011-08-14 09:32 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP92ba.tmp
2011-08-14 09:31 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP8f6e.tmp
2011-08-14 09:30 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9c9d.tmp
2011-08-14 09:28 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9df5.tmp
2011-08-14 09:27 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9d0b.tmp
2011-08-14 09:26 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9191.tmp
2011-08-14 09:25 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa71d.tmp
2005-03-03 10:41 . 2005-03-03 10:41 823296 ----a-w- c:\program files\winmx353.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"nwiz"="nwiz.exe" [2004-04-07 323584]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"WinPatrol"="c:\progra~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-12-13 222784]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-25 98304]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o&inst=NzctNjYyMDQ5OTc3LUJBKzEtS1YzKzctWEwrMS1UNC1YTzM2KzEtVEI5KzItRkwrOS1GOU03Qys1LUY5TTEwQisxLUY5TTEwQSsxLUY5TTIrMS1ERFQrMC1GTDEwKzE&prod=90&ver=10.0.1325" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 07:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-05-23 02:55 483328 ----a-w- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Instant Backup]
2010-04-23 00:33 136416 ----a-w- c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Send]
2009-11-05 00:29 236816 ----a-w- c:\program files\Memeo\Memeo Send\MemeoLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]
2010-04-30 14:47 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-31 00:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [5/22/2011 5:04 PM 99896]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [5/4/2009 6:39 PM 10384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/3/2011 10:15 PM 366640]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [4/22/2010 5:33 PM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [4/30/2010 7:47 AM 14088]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/3/2011 10:15 PM 22712]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: download.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {09883431-7429-11D5-8B69-0050049F5256} - hxxps://www.metrobankdirect.com/download/Authentic/VBAuthentic.cab
FF - ProfilePath - c:\documents and settings\arcee\Application Data\Mozilla\Firefox\Profiles\gwf2rw3r.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - (no file)
HKCU-Run-RecordNow! - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-24 09:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(736)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(3300)
c:\windows\system32\WININET.dll
c:\progra~1\BILLPS~1\WINPAT~1\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Apoint2K\Apntex.exe
.
**************************************************************************
.
Completion time: 2011-08-24 10:01:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-24 17:01
.
Pre-Run: 43,589,943,296 bytes free
Post-Run: 45,953,622,016 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - E40153599967A25D9FFBE8963097DBA6
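The DDS log in the first post lists a running process at C:\WINDOWS\3203397148:3809022017.exe (the same file avast later reported as a rootkit that it could not remove) and a Hosts entry pointing www.winmx.com at a public address, and the ComboFix log above removed a c:\windows\$NtUninstallKB3255$ tree containing L\ and U\@… entries. The script below is an added example, not part of this thread and not code from DDS, ComboFix or TDSSKiller: it triages log lines of that shape with three defender-side heuristics. A colon inside a path component (anywhere other than the drive letter) names an NTFS alternate data stream; a $NtUninstall…$ folder whose KB number is shorter than six digits, or which holds @-named entries, does not fit the shape of a genuine XP hotfix uninstall folder (a heuristic assumed here, not stated in the thread); and a Hosts line mapping a name to a non-loopback address is a redirect worth reviewing. The sample lines are constructed from the logs in this thread plus benign lines for contrast; the KB999999 folder name is a placeholder.

```python
"""Heuristic triage of DDS / ComboFix style log lines (added example)."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines taken from the DDS and ComboFix logs in this thread,
# plus benign lines for contrast. KB999999 is a placeholder, not a real hotfix.
SAMPLE_LINES = [
    r"C:\WINDOWS\3203397148:3809022017.exe",
    r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\Explorer.EXE",
    r"c:\windows\$NtUninstallKB3255$\485945278\U\@00000001",
    r"c:\windows\$NtUninstallKB3255$\485945278\L\yaywbcos",
    r"c:\windows\$NtUninstallKB999999$\spuninst\spuninst.exe",
    "Hosts: 212.227.64.159 www.winmx.com",
    "Hosts: 127.0.0.1 localhost",
    r"S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-7-16 42184]",
]

# A path whose final component still contains ':' after the drive letter names an
# NTFS alternate data stream (file:stream). Whitespace ends the path so that
# command-line arguments after an executable are not mistaken for a stream name.
ADS_RE = re.compile(r"^[A-Za-z]:\\(?:[^\\\s:]+\\)*[^\\\s:]+:[^\\\s]+")

# Hotfix uninstall folder: \$NtUninstallKB<digits>$ or \$NtUninstallQ<digits>$,
# optionally followed by a path beneath it.
HOTFIX_RE = re.compile(r"\\\$NtUninstall(KB|Q)(\d+)\$(?:\\(.*))?$", re.IGNORECASE)

# DDS "Hosts:" entry: IPv4 address followed by the redirected host name.
HOSTS_RE = re.compile(r"^Hosts:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")

# Assumed heuristic: genuine XP hotfix folders carry six or more KB digits and
# hold a spuninst\ tree, never entries whose names begin with '@'.
MIN_KB_DIGITS = 6


def triage_line(line: str) -> List[str]:
    """Return the names of the heuristics a single log line trips (empty if none)."""
    findings: List[str] = []

    if ADS_RE.match(line):
        findings.append("alternate-data-stream path")

    hotfix = HOTFIX_RE.search(line)
    if hotfix:
        kb_digits = hotfix.group(2)
        remainder: Optional[str] = hotfix.group(3)
        parts = remainder.split("\\") if remainder else []
        if len(kb_digits) < MIN_KB_DIGITS or any(p.startswith("@") for p in parts):
            findings.append("malformed hotfix uninstall folder")

    hosts = HOSTS_RE.match(line)
    if hosts:
        ip, host = hosts.group(1), hosts.group(2)
        # Loopback and the null address are the only mappings a clean XP hosts
        # file normally carries; anything else redirects the name elsewhere.
        if not (ip.startswith("127.") or ip == "0.0.0.0"):
            findings.append(f"hosts redirect of {host} to {ip}")

    return findings


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run every line through triage_line and keep only those with findings."""
    flagged = []
    for line in lines:
        findings = triage_line(line)
        if findings:
            flagged.append((line, findings))
    return flagged


if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LINES):
        print(line)
        print("    -> " + ", ".join(findings))
```

The heuristics are deliberately narrow: they point an analyst at lines that deserve a second look in a log of this kind, and a hit is a prompt to verify (for example with a rootkit scanner such as the ones the helper recommends), not a verdict on its own.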

#11 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:33 AM

Posted 25 August 2011 - 08:30 PM

hi,

OK, good. Now try running ComboFix after a normal start up. If all goes OK, also check Malwarebytes for updates and scan with it.

How Can I Reduce My Risk to Malware?


#12 peewee30

peewee30
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:33 AM

Posted 26 August 2011 - 03:45 PM

Hi shelf life!

This is my latest ComboFix log after you instructed me to run it one more time. Also, I'm including the log file for my Malwarebytes scan. Please let me know what the next thing to do is.

Thank you so much for the help.



This is the combofix log file:




ComboFix 11-08-26.04 - arcee 08/26/2011 9:06.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.191 [GMT -7:00]
Running from: c:\documents and settings\arcee\Desktop\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))
.
.
2011-08-24 16:27 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-24 16:27 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2011-08-22 22:48 . 2011-08-22 22:48 -------- d--h--w- c:\windows\PIF
2011-08-15 16:10 . 2011-08-15 16:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-14 22:17 . 2011-08-15 16:09 -------- d-----w- c:\program files\Malwar
2011-08-04 05:15 . 2011-07-07 02:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-04 05:15 . 2011-07-07 02:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-16 15:26 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa037.tmp
2011-08-15 22:10 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9d88.tmp
2011-08-15 22:09 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPabff.tmp
2011-08-15 16:25 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9da7.tmp
2011-08-15 16:24 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa901.tmp
2011-08-15 16:22 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa97e.tmp
2011-08-15 16:21 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9c30.tmp
2011-08-15 16:20 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa46d.tmp
2011-08-15 16:19 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP98e4.tmp
2011-08-15 16:13 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa6fe.tmp
2011-08-15 15:50 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa6cf.tmp
2011-08-14 17:01 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa5d5.tmp
2011-08-14 09:32 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP92ba.tmp
2011-08-14 09:31 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP8f6e.tmp
2011-08-14 09:30 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9c9d.tmp
2011-08-14 09:28 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9df5.tmp
2011-08-14 09:27 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9d0b.tmp
2011-08-14 09:26 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMP9191.tmp
2011-08-14 09:25 . 2004-11-24 22:48 90112 ----a-w- c:\windows\DUMPa71d.tmp
2005-03-03 10:41 . 2005-03-03 10:41 823296 ----a-w- c:\program files\winmx353.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-24_16.53.40 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"nwiz"="nwiz.exe" [2004-04-07 323584]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"WinPatrol"="c:\progra~1\BILLPS~1\WINPAT~1\winpatrol.exe" [2005-12-13 222784]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-25 98304]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o&inst=NzctNjYyMDQ5OTc3LUJBKzEtS1YzKzctWEwrMS1UNC1YTzM2KzEtVEI5KzItRkwrOS1GOU03Qys1LUY5TTEwQisxLUY5TTEwQSsxLUY5TTIrMS1ERFQrMC1GTDEwKzE&prod=90&ver=10.0.1325" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 07:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-05-23 02:55 483328 ----a-w- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Instant Backup]
2010-04-23 00:33 136416 ----a-w- c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memeo Send]
2009-11-05 00:29 236816 ----a-w- c:\program files\Memeo\Memeo Send\MemeoLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]
2010-04-30 14:47 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-31 00:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [5/22/2011 5:04 PM 99896]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [5/4/2009 6:39 PM 10384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/3/2011 10:15 PM 366640]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [4/22/2010 5:33 PM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [4/30/2010 7:47 AM 14088]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/3/2011 10:15 PM 22712]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: download.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {09883431-7429-11D5-8B69-0050049F5256} - hxxps://www.metrobankdirect.com/download/Authentic/VBAuthentic.cab
FF - ProfilePath - c:\documents and settings\arcee\Application Data\Mozilla\Firefox\Profiles\gwf2rw3r.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - %profile%\extensions\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-26 09:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(3036)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-26 10:40:25
ComboFix-quarantined-files.txt 2011-08-26 17:40
ComboFix2.txt 2011-08-24 17:01
.
Pre-Run: 49,438,994,432 bytes free
Post-Run: 49,425,387,520 bytes free
.
- - End Of File - - 5CA7FD7FD74AA6EBDE6D8B0D79538818




This is the Malwarebytes log file:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7582

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/26/2011 1:03:20 PM
mbam-log-2011-08-26 (13-03-20).txt

Scan type: Full scan (C:\|)
Objects scanned: 272778
Time elapsed: 1 hour(s), 30 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 shelf life

shelf life

  • Malware Response Team
  • 2,680 posts
  • Gender:Male
  • Location:@localhost
  • Local time:05:33 AM

Posted 26 August 2011 - 07:01 PM

That all looks OK. I haven't seen WinMX in a long time. I assume you installed that and know what it is? Right? If you don't know, then look for the uninstaller in the Add/Remove Programs panel. It could just be some stray leftovers and it's already been uninstalled.

How Can I Reduce My Risk to Malware?


#14 peewee30

peewee30
  • Topic Starter

  • Members
  • 22 posts
  • Local time:02:33 AM

Posted 27 August 2011 - 02:23 AM

WinMX was the program I was using to download music before, but I haven't used it in ages. Do you want me to just uninstall it since I don't use it anymore? What else do I need to do next? Also, in one of the instructions given there was a Defogger that disables the CD something (sorry, I forgot the name). Do I need to re-enable it on my computer? How can I do that? Thanks so much.

#15 peewee30

peewee30
  • Topic Starter

  • Members
  • 22 posts
  • Local time:02:33 AM

Posted 27 August 2011 - 02:26 AM

One more thing I forgot to ask: I uninstalled Avast on my computer because it needed to be uninstalled to make one of the instructions go through. Can I now download Avast on my computer again? Thanks again for the help.



